add cilium gateway

clusters/cl01tl/standalone/cilium/templates/cilium-load-balancer-ip-pool.yaml

@@ -11,3 +11,5 @@ spec:
   blocks:
     - start: "10.232.1.21"
       stop: "10.232.1.23"
+    - start: "10.232.2.10"
+      stop: "10.232.2.100"

clusters/cl01tl/standalone/cilium/templates/gateway.yaml

@@ -0,0 +1,45 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: tls-gateway
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: tls-gateway
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-issuer
+spec:
+  gatewayClassName: cilium
+  addresses:
+    - type: IPAddress
+        value: 10.232.2.10
+  gatewayClassName: cilium
+  listeners:
+    - allowedRoutes:
+        namespaces:
+          from: All
+      name: ssh
+      port: 22
+      protocol: TCP
+    - allowedRoutes:
+        namespaces:
+          from: All
+      hostname: '*.alexlebens.net'
+      name: http
+      port: 8000
+      protocol: HTTP
+    - allowedRoutes:
+        namespaces:
+          from: All
+      hostname: '*.alexlebens.net'
+      name: https
+      port: 8443
+      protocol: HTTPS
+      tls:
+        certificateRefs:
+          - group: ''
+            kind: Secret
+            name: https-gateway-cert
+            namespace: kube-system
+        mode: Terminate

clusters/cl01tl/standalone/cilium/values.yaml

@@ -34,7 +34,9 @@ cilium:
   ingressController:
     enabled: false
   gatewayAPI:
-    enabled: false
+    enabled: true
+    enableAlpn: true
+    enableAppProtocol: true
   externalIPs:
     enabled: true
   socketLB:
@@ -67,13 +69,15 @@ cilium:
     serviceMonitor:
       enabled: true
   envoy:
+    enabled: true
     securityContext:
       capabilities:
+        keepCapNetBindService: true
         envoy:
           - NET_ADMIN
+          - NET_BIND_SERVICE
           - PERFMON
           - BPF
-        keepCapNetBindService: true
     prometheus:
       enabled: true
       serviceMonitor: